Netopia® Software User Guide
Version 7.6
Netopia® 2200 and 3300 Series Gateways
April 2006

   Summary of Contents for Netopia 2200 series

  • Page 1

    Netopia® Software User Guide Version 7.6 Netopia® 2200 and 3300 Series Gateways April 2006...

  • Page 2: Copyright

    Netopia, the Netopia logo, and 3-D Reach are registered trademarks belonging to Netopia, Inc., registered U.S. Patent and Trademark Office. Broadband Without Boundaries is a trademark belonging to Netopia, Inc. All other trademarks are the property of their respective owners. All rights reserved.

  • Page 3: Table Of Contents

    TELECOMMUNICATION INSTALLATION (page 21); Setting up the Netopia Gateway (page 22); Microsoft Windows: ...

  • Page 4: Table Of Contents

    Table of Contents: Status Details (page 34); Enable Remote Management ...

  • Page 5: Table Of Contents

    Firewall (page 125); Use a Netopia Firewall (page 125); BreakWater Basic Firewall ...

  • Page 6: Table Of Contents

    Table of Contents: SafeHarbour IPSec VPN (page 131); Configuring a SafeHarbour VPN ...

  • Page 7: Table Of Contents

    Step 1: Required Files (page 181); Step 2: Netopia firmware Image File (page 181); Install Keys ...

  • Page 8: Table Of Contents

    Table of Contents: CHAPTER 6 Command Line Interface (page 221); Overview (page 222); Starting and Ending a CLI Session ...

  • Page 9: Table Of Contents

    Table of Contents: Default IP Gateway Settings (page 254); IP-over-PPP Settings (page 254); Static ARP Settings ...

  • Page 10: Table Of Contents

    Table of Contents: CHAPTER 7 Glossary (page 311); -----A----- ...

  • Page 11: Table Of Contents

    Network Address Translation (NAT) (page 339); Netopia Advanced Features for NAT (page 341); Internal Servers ...

  • Page 12

    Table of Contents: VPN IPSec Pass Through (page 343); VPN IPSec Tunnel Termination (page 344); Stateful Inspection Firewall ...

  • Page 13: What's New In 7.6, Chapter 1 Introduction

    CHAPTER 1 Introduction. What’s New in 7.6: New in Netopia Firmware Version 7.6 are the following features: • TR-069 CLI Enhancements. See “TR-069” on page 300. • Variable wireless transmission power control CLI command. See page 293.

  • Page 14: About Netopia Documentation, Intended Audience

    LAN to have public addresses directly on the Internet. Netopia, Inc. provides a suite of technical information for its 2200- and 3300-series family of intelligent enterprise and consumer Gateways. It consists of: •...

  • Page 15: Documentation Conventions, General, Internal Web Interface, Command Line Interface

    solid rounded rectangle with an arrow: Denotes an area of emphasis on a Web page. Command Line Interface: Syntax conventions for the Netopia Gateway command line interface are as follows: Convention / Description. straight ([ ]) brackets in cmd line: Optional command arguments...

  • Page 16

    curly ({ }) brackets, with values separated with vertical bars (|): Alternative values for an argument are presented in curly ({ }) brackets, with values separated with vertical bars (|). bold terminal type face: User-entered text. italic terminal type face: Variables for which you supply your own val-...

  • Page 17: Organization, A Word About Example Screens

    This guide consists of nine chapters, including a glossary, and an index. It is organized as follows: • Chapter 1, “Introduction” — Describes the Netopia document suite, the purpose of, the audience for, and structure of this guide. It gives a table of conventions.

  • Page 19: Chapter 2 Basic Mode Setup

    Most users will find that the basic Quickstart configuration is all that they ever need to use. This section may be all that you ever need to configure and use your Netopia Gateway. The following instructions cover installation in Router Mode.

  • Page 20: Important Safety Instructions, Power Supply Installation, Telecommunication Installation

    Important Safety Instructions POWER SUPPLY INSTALLATION Connect the power supply cord to the power jack on the Netopia Gateway. Plug the power supply into an appropriate electrical outlet. ☛ CAUTION: Depending on the power supply provided with the product, either the direct plug-in power supply blades, power supply cord plug or the appliance coupler serves as the mains power disconnect.

  • Page 21: Important Safety Instructions, Installing the Power Supply, Telecommunication Installation

    Important Safety Instructions POWER SUPPLY INSTALLATION Connect the cable from the power supply to the power jack on the Netopia Gateway. Then plug the power supply into an electrical outlet. ☛ CAUTION: Depending on the power supply provided with the product, either the direct plug-in power supply, the power cord plug or the appliance coupler serves as...

  • Page 22: Setting Up The Netopia Gateway, Microsoft Windows

    Setting up the Netopia Gateway Refer to your Quickstart Guide for instructions on how to connect your Netopia gateway to your power source, PC or local area network, and your Internet access point, whether it is a dedicated DSL outlet or a DSL or cable modem. Different Netopia Gateway models are supplied for any of these connections.

  • Page 23

    Setting up the Netopia Gateway b. Some Windows versions follow a path like this: Start menu -> Control Panel -> Network and Internet Connections -> Network Connections -> Local Area Connection -> Properties -> Internet Protocol [TCP/IP] -> Properties. Then go to Step 2.

  • Page 24: Macintosh Macos 8 Or Higher Or Mac Os X

    Macintosh MacOS 8 or higher or Mac OS X: Step 1. Access the TCP/IP or Network control panel. a. MacOS follows a path like this: Apple Menu -> Control Panels -> TCP/IP Control Panel...

  • Page 25

    a path like this: Apple Menu -> System Preferences -> Network. Then go to Step 2. Step 2. Select Built-in Ethernet Step 3. Select Configure Using DHCP Step 4. Close and Save, if prompted. Proceed to “Configuring the Netopia Gateway” on page...

  • Page 26

    Gateway. The User account provides monitor capability only. • A user may NOT change the configuration, perform upgrades or invoke maintenance functions. For the security of your connection, an Admin password must be set on the Netopia unit.

  • Page 27: Configuring The Netopia Gateway, Miavo Vdsl And Ethernet Wan Models Quickstart

    Configuring the Netopia Gateway MiAVo VDSL and Ethernet WAN models Quickstart The browser then displays the Quickstart page. Click the Connect to the Internet button. Once a connection is established, your browser is redirected to your service provider’s home page or a registration page on the Internet.

  • Page 28: Pppoe Quickstart

    Once you enter your username and password here, you will no longer need to enter them whenever you access the Internet. The Netopia Gateway stores this information and automatically connects you to the Internet. The Gateway displays a message while it configures itself.

  • Page 29

    Configuring the Netopia Gateway When the connection succeeds, your browser will display a success message. Once a connection is established, your browser is redirected to your service provider’s home page or a registration page on the Internet. Congratulations! Your installation is complete. You can now surf to your favorite Web sites by typing an URL in your browser’s location box or by...

  • Page 30: Netopia Gateway Status Indicator Lights

    Netopia Gateway Status Indicator Lights Colored LEDs on your Netopia Gateway indicate the status of various port activity. Different Gateway models have different ports for your connections and different indicator LEDs. The Quickstart Guide accompanying your Netopia Gateway describes the behavior of the various indicator LEDs.

  • Page 31: Home Page - Basic Mode

    Home Page - Basic Mode After you have performed the basic Quickstart configuration, any time you log in to your Netopia Gateway you will access the Netopia Gateway Home Page. http://192.168.1.254 You access the Home Page by typing in your Web browser’s loca-...

  • Page 32

    The Home Page displays the following information in the center section: Item / Description. Serial Number: This is the unique serial number of your Gateway. Software Release: This is the version number of the current embedded software in your Gateway. This is the date that your Gateway was installed and enabled.

  • Page 33: Manage My Account

    Home Page - Basic Mode Link: Manage My Account You can change your ISP account information for the Netopia Gateway. You can also manage other aspects of your account on your service provider’s account management Web site. Click on the Manage My Account link.

  • Page 34: Status Details

    Link: Status Details If you need to diagnose any problems with your Netopia Gateway or its connection to the Internet, you can run a sophisticated diagnostic tool. It checks several aspects of your physical and electronic connection and reports its results on-screen. This can be useful for troubleshooting, or when speaking with a technical support technician.

  • Page 35: Enable Remote Management

    This link allows you to authorize a remotely-located person, such as a support technician, to directly access your Netopia Gateway. This is useful for fixing configuration problems when you need expert help. You can limit the amount of time such a person will have access to your Gateway.

  • Page 36: Expert Mode

    Most users will find that the basic Quickstart configuration is all that they ever need to use. Some users, however, may want to do more advanced configuration. The Netopia Gateway has many advanced features that can be accessed and configured through the Expert Mode pages.

  • Page 37: Update Firmware

    Home Page - Basic Mode Link: Update Firmware (This link is not available on the 3342/3352 models, since firmware updates must be upgraded via the USB host driver.) Periodically, the embedded firmware in your Gateway may be updated to improve the operation or add new features.

  • Page 38: Factory Reset

    Link: Factory Reset In some cases, you may need to clear all the configuration settings and start over again to program the Netopia Gateway. You can perform a factory reset to do this. Click on Factory Reset to reset the Gateway back to its original factory default settings.

  • Page 39: Accessing The Expert Web Interface, Open The Web Connection, Chapter 3 Expert Mode

    Accessing the Expert Web Interface CHAPTER 3 Expert Mode Using the Expert Mode Web-based user interface for the Netopia 2200- and 3300-series Gateway you can configure, troubleshoot, and monitor the status of your Gateway. Accessing the Expert Web Interface Open the Web Connection...

  • Page 40

    Click on the Expert Mode link in the left-hand column of links. You are challenged to confirm your choice. Click The Home Page opens in Expert Mode.

  • Page 41: Home Page - Expert Mode

    Accessing the Expert Web Interface Home Page - Expert Mode The Home Page is the summary page for your Netopia Gateway. The toolbar at the top provides links to controlling, configuring, and monitoring pages. Critical configuration and operational status is displayed in the center section.

  • Page 42: Home Page - Information

    Serial Number Unique serial number, located on label attached to bottom of unit Software Version Release and build number of running Netopia Operating System. Product ID Refers to internal circuit board series; useful in determining which software upgrade applies to your hardware type.

  • Page 43

    Accessing the Expert Web Interface DHCP Server On or Off. ON if using DHCP to get IP addresses for your LAN client machines. DHCP Leases A “lease” is held by each LAN client that has obtained an IP address through DHCP.

  • Page 44: Toolbar, Navigating The Web Interface, Breadcrumb Trail

    Toolbar The toolbar is the dark blue bar at the top of the page containing the major navigation buttons. These buttons are available from almost every page, allowing you to move freely about the site. Home Configure Troubleshoot Security Install Restart Help...

  • Page 45: Restart

    Restart Button: Restart The Restart button on the toolbar allows you to restart the Gateway at any time. You will be prompted to confirm the restart before any action is taken. The Restart Confirmation message explains the consequences of and reasons for restarting the Gateway.

  • Page 46: Alert Symbol

    Link: Alert Symbol The Alert symbol appears in the upper right corner if you make a database change; one in which a change is made to the Gateway’s configuration. The Alert serves as a reminder that you must Save the changes and Restart the Gateway before the change will take effect.

  • Page 47: Help

    Help Button: Help Context-sensitive Help is provided in your Gateway. The page shown here is displayed when you are on the Home page or other transitional pages. To see a context help page example, go to Security -> Passwords, then click Help...

  • Page 48: Quickstart, How To Use The Quickstart, Setup Your Gateway Using A Ppp Connection

    Configure Button: Configure The Configuration options are presented in the order of likelihood you will need to use them. Quickstart is typically accessed during the hardware installation and initial configuration phase. Often, these settings should be changed only in accordance with information from your Service Provider.

  • Page 49: Configure

    Configure Click Connect to the Internet. A brief message is displayed while the Gateway attempts to establish a connection. When the connection succeeds, your browser will display your Service Provider’s home page. If you encounter any problems connecting, refer to the chapters “Basic Troubleshooting”...

  • Page 50

    Link: * Enable Interface: Enables all LAN-connected computers to share resources and to connect to the WAN. The Interface should always be enabled unless you are instructed to disable it by your Service Provider during troubleshooting. * IP Address: The LAN IP Address of the Gateway. The IP Address you assign to your LAN interface must not be used by another device on your LAN network.

  • Page 51

    Configure • Advanced: Clicking on the Advanced link displays the Advanced LAN IP Interface page. • IGMP Forwarding: The default setting is Disabled. If you check this option, it will enable Internet Group Management Protocol (IGMP) multicast forwarding. IGMP allows a router to determine which host groups have members on a given network segment.

  • Page 52

    Netopia Gateway. If enabled, statically addressed LAN hosts that have an address out- side of LAN subnets will be able to communicate via the Router’s WAN interface to the Internet.

  • Page 53: Wireless

    Configure Wireless (supported models) If your Gateway is a wireless model (such as a 3347W) you can enable or disable the wireless LAN (WLAN) by clicking the Wireless link. Wireless functionality is enabled by default. If you uncheck the Enable Wireless checkbox, the Wireless Options are disabled, and the Gateway will not provide or broadcast any wireless LAN services.

  • Page 54: Privacy

    ☛ NOTE: On the 2200-Series Gateways, WEP-Manual privacy is enabled by default. Use the Netopia Installation Wizard on the accompanying Netopia CD to generate WEP keys for connecting wireless client computers. Privacy • Off - No Privacy provides no encryption on your wireless LAN data.

  • Page 55

    Configure The Pre Shared Key is a passphrase shared between the Router and the clients and is used to generate dynamically changing keys. The passphrase can be 8-63 characters or up to 64 hex characters. It is recommended to use at least 20 characters for best security.

  • Page 56

    Click the Submit button. The Alert icon appears. Click the Alert icon, and then the Save and Restart link.

  • Page 57: Advanced

    Configure Advanced If you click the Advanced link, the advanced 802.11 Wireless Settings page appears. Note: This page displays different options depending on which form of Privacy or other...

  • Page 58

    Access Point beacons. If an Access Point beacon is detected on the same channel, the Netopia Gateway will initiate a three- to four-minute scan of the channels, locate a better one, and switch. Once it has switched, it will remain on this channel for at least 30 minutes before switching again if another Access Point is detected.

  • Page 59: About Closed System Mode

    WEP encryption enabled, and must have the same WEP encryption key as the Netopia Gateway. Once the Netopia Gateway is located by a client computer, by setting the client to a matching SSID, the client can connect immediately if WEP is not enabled. If WEP is enabled then the client must also have WEP enabled and a matching WEP key.

  • Page 60

    Block Wireless Bridging: Check the checkbox to block wireless clients from communicating with other wireless clients on the LAN side of the Gateway. • WEP - Manual allows you to enter your own encryption keys manually. This is a difficult process, but only needs to be done once.

  • Page 61: Wpa Version Allowed

    Configure Encryption Key #1 – #4: The encryption keys. You enter keys using hexadecimal digits. For 40/64bit encryption, you need ten digits; 26 digits for 128bit, and 58 digits for 256bit WEP. Hexadecimal characters are 0 – 9, and a – f. Examples: •...

  • Page 62: Multiple Ssids

    Multiple SSIDs The Multiple Wireless SSIDs feature allows you to add additional network identifiers (SSIDs or Network Names) for your wireless network. To enable Multiple Wireless SSIDs, click the Multiple SSIDs link. When the Multiple Wireless SSIDs screen appears, check the Enable SSID checkbox for each SSID you want to enable.

  • Page 63: Wireless Mac Authorization

    Configure Privacy modes available from the pull-down menu for the multiple SSIDs are: WPA-PSK, WPA-802.1x, or Off-No Privacy. WEP can also be selected on the additional SSIDs as long as it is not used on the primary SSID. WEP can only be used on one SSID, so any others will not have WEP available.

  • Page 64

    To enable Wireless MAC Authentication, click the MAC Authorization link. When the Wireless MAC Authentication screen appears, check the Enable Wireless MAC Authorization checkbox: The screen expands as follows: Click the button. The Authorized Wireless MAC Address Entry screen appears.

  • Page 65

    Configure Enter the MAC (hardware) address of the client PC you want to authorize for access to your wireless LAN. The Allow Access? checkbox is enabled by default. Unchecking this checkbox specifically denies access from this MAC address. Click the Submit button.

  • Page 66: Use Radius Server

    Use RADIUS Server RADIUS servers allow external authentication of users by means of a remote authentication database. The remote authentication database is maintained by a Remote Authentication Dial-In User Service (RADIUS) server. In conjunction with Wireless User Authentication, you can use a RADIUS server database to authenticate users seeking access to the wireless services, as well as the authorized user list maintained locally within the Gateway.

  • Page 67

    Configure The Advanced Network Configuration page appears. You access the RADIUS Server configuration screen from the Advanced Network Configuration web page, by clicking the RADIUS Server link.

  • Page 68

    Link: WAN IP Interfaces Your IP interfaces are listed. Click on an interface to configure it. IP Gateway Enable Gateway: You can configure the Gateway to send packets to a default gateway if it does not know how to reach the destination host. Interface Type: If you have PPPoE enabled, you can specify that packets destined for unknown hosts will be sent to the gateway being used by the remote PPP peer.

  • Page 69

    RFC-1483 Routed IP None Netopia Firmware Version 7 supports VPI/VCI autodetection by default. If VPI/VCI autodetection is enabled, the ATM Circuits page displays VPI/VCI = 0. If you configure a new ATM VPI/VCI pair, upon saving and restarting, autodetection is disabled and only the new VPI/VCI pair configuration will be enabled.

  • Page 70

    You can choose UBR (Unspecified Bit Rate), CBR (Constant Bit Rate), or VBR (Variable Bit Rate) from the pull-down menu and set the Peak Cell Rate (PCR) in the editable field. UBR (Unspecified Bit Rate) guarantees no minimum transmission rate. Cells are transmitted on a “best effort”...

  • Page 71

    Configure ☛ Note: The difference between VBR-rt and VBR-nrt is the tolerated Cell Delay Variation range and the provisioned Maximum Burst Size. Class Transmit Priority Comments PCR is a cap High PCR is a guaranteed rate High PCR > SCR. SCR is a guaranteed rate.

  • Page 72

    Link: Advanced Selected Advanced options are discussed in the pages that follow. Many are self-explanatory or are dictated by your service provider. The following are links under Configure -> Advanced:...

  • Page 73: Ip Static Routes

    Configure Link: IP Static Routes A static route identifies a manually configured pathway to a remote network. Unlike dynamic routes, which are acquired and confirmed periodically from other routers, static routes do not time out. Consequently, static routes are useful when working with PPP, since an intermittent PPP link may make maintenance of dynamic routes problematic.

  • Page 74

    • Gateway: Enter the IP address of the gateway for the static route. The default gateway must be located on a network connected to your Netopia Gateway configured interface. • Metric: Specifies the hop count for the static route. Enter a number from 1 to 15 to indicate the number of routes (actual or best guess) a packet must traverse to reach the remote network.

  • Page 75: Ip Static Arp, Pinholes

    Configure When you are finished, click the Alert icon, switch to the Save Changes page, and click the Save Changes link. Link: IP Static ARP Your Gateway maintains a dynamic Address Resolution Protocol (ARP) table to map IP addresses to Ethernet (MAC) addresses. It populates this ARP table dynamically, by retrieving IP address/MAC address pairs only when it needs them.

  • Page 76: Planning For Your Pinholes, Example: A Lan Requiring Three Pinholes

    This requires passing three kinds of specific IP traffic through to your LAN. Application 1 : You have a Web server located on your LAN behind your Netopia Gateway and would like users on the Internet to have access to it. With NAT “On”, the only externally visible IP address on your network is the Gateway’s WAN IP (supplied by your Service Pro-...

  • Page 77

    Configure ☛ TIPS for making Pinhole Entries: 1. If the port forwarding feature is required for Web services, ensure that the embedded Web server’s port number is re-assigned PRIOR to any Pinhole data entry. 2. Enter data for one Pinhole at a time. 3.

  • Page 78

    A diagram of this LAN example is: Gateway my-webserver Internet 192.168.1.1 Ethernet Interface 210.219.41.20 Ethernet Interface my-mailserver 192.168.1.2 NAT Pinholes Embedded Web Server my-games 210.219.41.20:8100 192.168.1.3 You can also use the LAN-side address of the Gateway, 192.168.1.x:8100 to access the web and 192.168.1.x:23 to access the telnet server.

  • Page 79

    -> link, select the Servers link. Since Port Forwarding is required for this example, the Netopia embedded Web server is configured first. ☛ NOTE: The two text boxes, Web (HTTP) Server Port and Telnet Server Port, on this page refer to the port numbers of the Netopia Gateway’s embedded admin-...

  • Page 80

    Click . Type your specific data into the Pinhole Entries table of this page. Click Submit. Click on the Add or Edit more Pinholes link. Click the button. Add the next Pinhole. Type the specific data for the second Pinhole.

  • Page 81

    Configure Click on the Add or Edit more Pinholes link. Click the button. Add the next Pinhole. Type the specific data for the third Pinhole. ☛ NOTE: Note the following parameters for the “my-games” Pinhole: 1. The Protocol ID is UDP. 2.

  • Page 82: Ipmaps

    IPMaps supports one-to-one Network Address Translation (NAT) for IP addresses assigned to servers, hosts, or specific computers on the LAN side of the Netopia Gateway. A single static or dynamic (DHCP) WAN IP address must be assigned to support other...

  • Page 83: Faqs For The Ipmaps Feature, What Are Ipmaps And How Are They Used

    What are IPMaps and how are they used? The IPMaps feature allows multiple static WAN IP addresses to be assigned to the Netopia Gateway. Static WAN IP addresses are used to support specific services, like a web server, mail server, or DNS server.

  • Page 84: Ipmaps Block Diagram

    IPMaps Block Diagram The following diagram shows the IPMaps principle in conjunction with existing Netopia NAT operations: Netopia Gateway WAN Interface LAN Interface Static IP Addresses for IPMaps Applications 192.168.1.1 NAT/PAT Table 143.137.50.37 143.137.50.36 143.137.50.37 192.168.1.1 192.168.1.2 143.137.50.36 192.168.1.2 143.137.50.35 192.168.1.3...

  • Page 85: Default Server

    Configure Link: Default Server This feature allows you to: • Direct your Gateway to forward all externally initiated IP traffic (TCP and UDP protocols only) to a default host on the LAN. • Enable it for certain situations: – Where you cannot anticipate what port number or packet protocol an in-bound appli- cation might use.

  • Page 86: Typical Network Diagram, Nat Combination Application

    You can also use the LAN-side address of the Gateway, 192.168.1.x to access the web and telnet server. NAT Combination Application. Netopia’s NAT security feature allows you to configure a sophisticated LAN layout that uses both the Pinhole and Default Server capabilities.

  • Page 87: Ip-passthrough

    Configure With this topology, you configure the embedded administration ports as a first task, followed by the Pinholes and, finally, the NAT Default Server. When using both NAT pinholes and NAT Default Server the Gateway works with the following rules (in sequence) to forward traffic from the Internet to the LAN: If the packet is a response to an existing connection created by outbound traffic from a LAN PC, forward to that station.

  • Page 88: A Restriction

    The Host Hardware Address field displays. Here you enter the MAC address of the designated IP-Passthrough computer. • If this MAC address is not all zeroes, then it will use DHCP to set the LAN host's address to the (configured or acquired) WAN IP address. The MAC address must be six colon-delimited or dash-delimited sets of hex digits ('0' –...

  • Page 89: Differentiated Services

    Differentiated Services configuration screen appears. Netopia Firmware Version 7.6 offers Differentiated Services (Diffserv) enhancements. These enhancements allow your Gateway to make Quality of Service (QoS) decisions about what path Internet traffic, such as Voice over IP (VoIP), should travel across your network.

  • Page 90

    You can then define Custom Flows. If your applications do not provide Quality of Service (QoS) control, Custom Flows allows you to define streams for some protocols, port ranges, and between specific end point addresses. • To define a custom flow, click the button.

  • Page 91

    Configure • Quality of Service (QoS) – This is the Quality of Service setting for the flow, based on the TOS bit information. Select Expedite, Assure, or Off (default) from the pull-down menu. The following table outlines the TOS bit settings and behavior: QoS Setting TOS Bit Value Behavior...

  • Page 92: Dhcp Server

    Link: Your Service Provider may maintain a Domain Name server. If you have the information for the DNS servers, enter it on the DNS page. If your Gateway is configured to use DHCP to obtain its WAN IP address, the DNS information is automatically obtained from that same DHCP Server.

  • Page 93

    Configure Your Service Provider may, for certain services, want to provide configuration from its DHCP servers to the computers on your LANs. In this case, the Gateway will relay the DHCP requests from your computers to a DHCP server in the Service Provider's network. Click the relay-agent and enter the IP address of the Service Provider's DHCP server in the Server Address field.

  • Page 94: Radius Server

    Link: RADIUS Server RADIUS servers allow external authentication of users by means of a remote authentication database. The remote authentication database is maintained by a Remote Authentication Dial-In User Service (RADIUS) server. In conjunction with Wireless User Authentication, you can use a RADIUS server database to authenticate users seeking access to the wireless services, as well as the authorized user list maintained locally within the Gateway.

  • Page 95: Snmp

    SNMP management station program on a local host to obtain information from an SNMP agent. In this case, the Netopia Gateway is an SNMP agent. Your Gateway supports SNMP-V1, with the exception of most sets (read-only and traps), and SNMP-V2.

  • Page 96

    ☛ WARNING: SNMP presents you with a security issue. The community facility of SNMP behaves somewhat like a password. The community “public” is a well-known community name. It could be used to examine the configu- ration of your Gateway by your service provider or an uninvited reviewer.

  • Page 97: Igmp (internet Group Management Protocol)

    field or sending out company newsletters to a distribution list. Since a router should not be used as a passive forwarding device, Netopia Routers use a protocol for forwarding multicasting: Internet Group Management Protocol (IGMP). Netopia Routers can use either IGMP Version 1 or Version 2.

  • Page 98

    You can set the following options: • IGMP Snooping – checking this checkbox enables the Netopia Gateway to “listen in” to IGMP traffic. The Gateway discovers multicast group membership for the purpose of restricting multicast transmissions to only those ports which have requested them. This helps to reduce overall network traffic from streaming media and other bandwidth-inten-...

  • Page 99

    Configure • Unsolicited Report Interval – the amount of time in seconds between repetitions of a particular computer’s initial report of membership in a group. The default unsolicited report interval is 10 seconds. • Querier Version – select a version of the IGMP Querier from the pull-down menu: v1 or...

  • Page 100: Upnp

    PCs using UPnP can retrieve the Gateway’s WAN IP address, and automatically create NAT port maps. This means that applications that support UPnP, and are used with a UPnP-enabled Netopia Gateway, will not need application layer gateway support on the Netopia Gateway to work through NAT.

  • Page 101: Lan Management

    TR-064 is a LAN-side DSL Gateway configuration specification. It is an extension of UPnP. It defines more services to locally manage the Netopia Gateway. While UPnP allows open access to configure the Gateway's features, TR-064 requires a password to execute any command that changes the Gateway's configuration.

  • Page 102: Advanced -> Ethernet Bridge

    Link: Advanced -> Ethernet Bridge The Netopia Gateway can be used as a bridge, rather than a router. A bridge is a device that joins two networks. As an Internet access device, a bridge connects the home computer directly to the service provider’s network equipment with no intervening routing functionality, such as Network Address Translation.

  • Page 103

    Configure Configuring for Bridge Mode Browse into the Netopia Gateway’s web interface. Click on the Configure button in the upper Menu bar. Click on the link. The LAN page appears. In the box titled LAN IP Interface (Ethernet 100BT): Make note of the Ethernet IP Address and subnet mask.

  • Page 104

    The Ethernet Bridge page appears. The appearance of this page varies, depending on your Gateway’s interfaces. If available: a. Check the Enable Bridging on Port selection. (This may be Always On.) b. Click Submit. If you want the Gateway to do both bridging and routing, check the Enable Concurrent Bridging/Routing checkbox.

  • Page 105

    ISP. If you ever need to get back into the Netopia Gateway again for management reasons, you will need to manually configure your machine to be in the same subnet as the Ethernet interface of the Netopia, since DHCP server is not operational in bridge mode.

  • Page 106: Vlan

    Link: VLAN A Virtual Local Area Network (VLAN) is a network of computers that behave as if they are connected to the same wire even though they may be physically located on different segments of a LAN. You set up VLANs by configuring the Gateway software rather than hardware.

  • Page 107

    Configure An example of multiple VLANs is shown below: To create a VLAN, click the button. The VLAN Entry page appears. You can create up to 32 VLANs, and you can also restrict any VLAN, and the computers on it, from administering the Gateway.

  • Page 108

    • VLAN id – This must be a unique identifying number between 1 and 4095. • VLAN Name – A descriptive name for the VLAN. • VLAN Protocol – This field is not editable; you can only associate ports with a VLAN. •...

  • Page 109

    For Netopia VGx technology models, separate Ethernet switch ports are displayed and may be configured. To enable any of them on this VLAN, select one, and click the button. Typically you will choose a physical port, such as an Ethernet port (example: ethernet1) or a wireless SSID (example: ssid1), and make the port routable by specifying lan-uplink.

  • Page 110

    You can Add, Edit, or Delete your VLAN entries by returning to the VLANs page, and selecting the appropriate entry from the displayed list.

  • Page 111: System, Syslog Parameters

    Configure Link: System The System Name defaults to your Gateway's factory identifier combined with its serial number. Some cable-oriented Service Providers use the System Name as an important identification and support parameter. The System Name can be 1 – 255 characters long; it can include embedded spaces and special characters.

  • Page 112

    • Syslog: Enable syslog logging in the system. • Syslog Host Name/IP Address: Enter the name or the IP Address of the host that should receive syslog messages. • Facility: From the pull-down menu, select the Syslog facility to be used by the router...

  • Page 113: Log Event Messages

    Log Event Messages Administration Related Log Messages 1. administrative access attempted: This log-message is generated whenever the user attempts to access the router's management interface. 2. administrative access authenticated and allowed: This log-message is generated whenever the user attempts to access the router's management interface and is successfully authenticated and allowed access to the management interface.

  • Page 114

    DSL Log Messages (most common): 1. WAN: Data link activated at <Rate> Kbps (rx/tx): This log message is generated when the DSL link comes up. 2. WAN: Data link deactivated: This log message is generated when the DSL link goes down. 3....

  • Page 115

    Access-related Log Messages 6. dropped - fragmented packet: This log-message is generated whenever a packet, traversing the router, is dropped because it is fragmented, stateful inspection is turned ON on the packet's transmit or receive interface, and deny-fragment option is enabled.

  • Page 116: Internal Servers, Software Hosting

    Pinhole configuration. Web (HTTP) Server Port: To reassign the port number used to access the Netopia embedded Web server, change this value to a value greater than 1024. When you next access the embedded Netopia Web server, append the IP address with <port number>, (e.g.

  • Page 117: List Of Supported Games And Software

    To select the games or software that you want to host for a specific PC, highlight the name(s) in the box on the left side of the screen. Click the button to select the software that will be hosted. To remove a game or software from the hosted list, highlight the game or software you want to remove and click the Remove...

  • Page 118

    Buddy Phone; Calista IP Phone; CART Precision Racing, v 1.0; Citrix Metaframe/ICA Client; Close Combat for Windows 1.0; Close Combat: A Bridge Too Far, v 2.0; Close Combat III: The Russian Front, v 1.0; Combat Flight Sim: WWII Europe Series, v 1.0; Combat Flight Sim 2: WWII Pacific Thr, v 1.0...

  • Page 119: Rename A User(pc)

    PPTP; Quake II; Quake III; Rainbow Six; RealAudio; Return to Castle Wolfenstein; Roger Wilco; Rogue Spear; ShoutCast Server; SMTP; SNMP; SSH server; StarCraft; Starfleet Command; StarLancer, v 1.0; Telnet; TFTP; Tiberian Sun: Command and Conquer; Timbuktu; Total Annihilation; Ultima Online; Unreal Tournament Server; Urban Assault, v 1.0; VNC, Virtual Network Comput-...

  • Page 120: Clear Options

    ☛ NOTE: The new name given to a server is only known to Software Hosting. It is not used as an identifier in other network functions, such as DNS or DHCP. Link: Clear Options To restore the factory configuration of the Gateway, choose Clear Options. You may want to upload your configuration to a file before performing this function.

  • Page 121: Time Zone

    Link: Time Zone When you click the Time Zone link, the Time Zone page appears. You can set your local time zone by selecting the number of hours your time zone is distant from Greenwich Mean Time (GMT +12 – -12) from the pull-down menu. This allows you to set the time zone for access controls and in general.

  • Page 122: Security

    Security Button: Security The Security features are available by clicking on the Security toolbar button. Some items of this category do not appear when you log on as User.

  • Page 123: Passwords, Create And Change Passwords

    Netopia Gateway settings from unauthorized display or modification. • Admin level privileges let you display and modify all settings in the Netopia Gateway (Read/Write mode). The Admin level password is created when you first access your Gateway.

  • Page 124

    Netopia Gateway: Select the account type from the Username pull-down list. Choose from Admin or User. If you assigned a password to the Netopia Gateway previously, enter your current password in the Old Password field. Enter your new password in the New Password field.

  • Page 125: Firewall, Use A Netopia Firewall, Breakwater Basic Firewall

    BreakWater Basic Firewall’s three settings are: • ClearSailing: ClearSailing, BreakWater's default setting, supports both inbound and outbound traffic. It is the only basic firewall setting that fully interoperates with all other Netopia software features. • SilentRunning: Using this level of firewall protection allows transmission of outbound traffic on pre-configured TCP/UDP ports.

  • Page 126

    Click on the radio button to select the protection level you want. Click Submit. Changing the BreakWater setting does not require a restart to take effect. This makes it easy to change the setting “on the fly,” as your needs change.

  • Page 127: Tips For Making Your Breakwater Basic Firewall Selection, Basic Firewall Background

    Restore SilentRunning when finished. Basic Firewall Background As a device on the Internet, a Netopia Gateway requires an IP address in order to send or receive traffic. The IP traffic sent or received has an associated application port which is dependent on the nature of the connection request.

  • Page 128

    Session Type: Port State. ftp data: Enabled, Disabled, Disabled; ftp control: Enabled, Disabled, Disabled; telnet external: Enabled, Disabled, Disabled; telnet Netopia server: Enabled, Disabled, Disabled; http external: Enabled, Disabled, Disabled; http Netopia server: Enabled, Disabled, Disabled; DHCP client: Enabled, Enabled...

  • Page 129

    Security ☛ NOTE: The Gateway’s WAN DHCP client port in SilentRunning mode is enabled. This feature allows end users to continue using DHCP-served IP addresses from their Service Providers, while having no identifiable presence on the Internet.

  • Page 130: Ipsec

    Link: IPSec When you click on the IPSec link, the IPSec configuration screen appears. Your Gateway can support two mechanisms for IPSec tunnels: • IPSec PassThrough supports Virtual Private Network (VPN) clients running on LAN-connected computers. Normally, this feature is enabled. You can disable it if your LAN-side VPN client includes its own NAT interoperability option.

  • Page 131: Safeharbour Ipsec Vpn

    SafeHarbour IPSec VPN SafeHarbour VPN IPSec Tunnel provides a single, encrypted tunnel to be terminated on the Gateway, making a secure tunnel available for all LAN-connected users. This implementation offers the following: • Eliminates the need for VPN client software on individual PCs. •...

  • Page 132

    A typical SafeHarbour configuration is shown below: Configuring a SafeHarbour VPN Use the following procedure to configure your SafeHarbour tunnel. Obtain your configuration information from your network administrator. The tables “Parameter Descriptions” on page 136 describe the various parameters that may be required for your tunnel.

  • Page 133

    Table 1: IPSec Tunnel Details Parameter Setup Worksheet. Columns: Parameter, Netopia Gateway, Peer Gateway. Parameters: Name; Peer Internal Network; Peer Internal Netmask; NAT Enable (On/Off); PAT Address; Negotiation Method (Main/Aggressive); Local ID Type (IP Address, Subnet, Hostname, ASCII); Local ID Address/Value...

  • Page 134

    Be sure that you have SafeHarbour VPN enabled. SafeHarbour is a keyed feature. See “Install Keys” on page 184 for information concerning installing Netopia Software Feature Keys. Check the Enable SafeHarbour IPSec checkbox. Checking this box will automatically display the SafeHarbour IPSec Tunnel Entry parameters.

  • Page 135

    Make the Tunnel Details entries. Enter or select the required settings. (Refer to your “IPSec Tunnel Details Parameter Setup Worksheet” on page 133.) Click Update. The Alert button appears. Click the Alert button. Click Save and Restart. Your SafeHarbour IPSec VPN tunnel is fully configured.

  • Page 136: Parameter Descriptions

    Parameter Descriptions The following tables describe SafeHarbour’s parameters that are used for an IPSec VPN tunnel configuration: Table 2: IPSec Configuration page parameters Field Description Name The Name parameter refers to the name of the configured tunnel. This is mainly used as an identifier for the administrator. The Name parameter is an ASCII value and is limited to 31 characters.

  • Page 137

    Table 3: IPSec Tunnel Details page parameters PAT Address: If NAT is enabled, this field appears. You can specify a Port Address Translation (PAT) address or leave the default all-zeroes (if Xauth is enabled). If you leave the default, the address will be requested from the remote router and dynamically applied to the Gateway.

  • Page 138

    Invalid SPI Recovery: Enabling this allows the Gateway to re-establish the tunnel if either the Netopia Gateway or the peer gateway is rebooted. Soft MBytes: Setting the Soft MBytes parameter forces the renegotiation of the IPSec Security Associations (SAs) at the configured Soft MByte value. The value can be configured between 1 and 1,000,000 MB and refers to data traffic...

  • Page 139

    Extended Authentication (XAuth), an extension to the Internet Key Exchange (IKE) protocol. The Xauth extension provides dual authentication for a remote user’s Netopia Gateway to establish a VPN, authorizing network access to the user’s central office. IKE establishes the tunnel, and Xauth authenticates the specific remote user's Gateway.

  • Page 140: Stateful Inspection, Stateful Inspection Firewall Installation Procedure

    Link: Stateful Inspection All computer operating systems are vulnerable to attack from outside sources, typically at the operating system or Internet Protocol (IP) layers. Stateful Inspection firewalls intercept and analyze incoming data packets to determine whether they should be admitted to your private LAN, based on multiple criteria, or blocked.

  • Page 141: Exposed Addresses

    • UDP no-activity time-out: The time in seconds after which a UDP session will be terminated, if there is no traffic on the session. • TCP no-activity time-out: The time in seconds after which a TCP session will be terminated, if there is no traffic on the session.

  • Page 142

    Add, Edit, or delete exposed addresses options are active only if NAT is disabled on a WAN interface. The hosts specified in exposed addresses will be allowed to receive inbound traffic even if there is no corresponding outbound traffic. •...

  • Page 143

    Click the button to add a new range of exposed addresses. You can edit a previously configured range by clicking the Edit button, or delete the entry entirely by clicking the Delete button. All configuration changes will trigger the Alert Icon. Click on the Alert icon.

  • Page 144: Stateful Inspection Options

    Stateful Inspection Options Stateful Inspection Parameters are active on a WAN interface only if you enable them on your Gateway. • Stateful Inspection: To enable stateful inspection on this WAN interface, check the checkbox. • Default Mapping to Router: This is disabled by default. This option will allow the...

  • Page 145: Open Ports In Default Stateful Inspection Installation

    Open Ports in Default Stateful Inspection Installation. Table columns: Port, Protocol, Description, LAN (Private) Interface, WAN (Public) Interface. Descriptions listed: telnet, Bootps, Bootpc, HTTP, Netbios-ns, Netbios-dgm, SNMP, ISAKMP, Router...

  • Page 146: Firewall Tutorial, Basic Ip Packet Components

    Firewall Tutorial General firewall terms ☛ Note: BreakWater Basic Firewall (see “BreakWater Basic Firewall” on page 125) does not make use of the packet filter support and can be used in addition to filtersets. Filter rule: A filter set is comprised of individual filter rules. Filter set: A grouping of individual filter rules.

  • Page 147: Basic Protocol Types

    Firewall Tutorial Protocol DATA User Data This header information is what the packet filter uses to make filtering decisions. It is important to note that a packet filter does not look into the IP data stream (the User Data from above) to make filtering decisions. Basic protocol types TCP: Transmission Control Protocol.

  • Page 148: Firewall Design Rules, Firewall Logic

    Example TCP/UDP Ports TCP Port Service UDP Port Service 20/21 SNMP Telnet TFTP SMTP News Firewall design rules There are two basic rules to firewall design: • “What is not explicitly allowed is denied.” • “What is not explicitly denied is allowed.” The first rule is far more secure, and is the best approach to firewall design.

  • Page 149: Implied Rules

    Firewall Tutorial and a packet goes through these rules destined for FTP, the packet would forward through the first rule (WWW), go through the second rule (FTP), and match this rule; the packet is allowed through. If you had this filter set for example..Allow WWW access;...

  • Page 150

    Example filter set page This is an example of the Netopia filter set page:...

  • Page 151: Filter Basics, Example Network

    A host address can be entered, but the applied subnet mask must be 32 bits (255.255.255.255). Netopia Firmware Version 7.6 has the ability to compare source and destination TCP or UDP ports. These options are as follows:...

  • Page 152: Example 1, Example 2, Example 3

    Incoming packet has the source address of 200.1.1.184. This incoming IP packet has a source IP address that does not match the network address in the Source IP Address field in Netopia Firmware Version 7.6. This rule will forward this packet because the packet does not match.

  • Page 153: Example 4, Example 5

    Firewall Tutorial Example 4 Filter Rule: 200.1.1.96 (Source IP Network Address) 255.255.255.240 (Source IP Mask) Forward = No (What happens on match) Incoming packet has the source address of 200.1.1.104. This rule does match and this packet will not be forwarded. Example 5 Filter Rule: 200.1.1.96...

  • Page 154: Packet Filter

    Netopia Firmware Version 7.6’s packet filters are designed to provide security for the Internet connections made to and from your network. You can customize the Gateway’s filter...

  • Page 155

    admit or refuse TCP/IP connections from certain remote networks and specific hosts. You will also use filters to screen particular types of connections. This is commonly called firewalling your network. Before creating filter sets, you should read the next few sections to learn more about how these powerful security tools work.

  • Page 156: Filter Priority

    Filter priority Continuing the customs inspectors analogy, imagine the packet inspectors lined up to examine a package. If the package matches the first inspector’s criteria, the package is either rejected or passed on to its destination, depending on the first inspector’s particular orders. In this case, the package is never seen by the remaining inspectors.

  • Page 157

    199.211.211.17. If a match occurs, the packet is blocked. Here is what this rule looks like when implemented as a filter in Netopia Firmware Version 7.6: To understand this particular filter, look at the parts of a filter. Parts of a filter A filter consists of criteria based...

  • Page 158: Port Numbers, Port Number Comparisons

    Port numbers A filter can also match a packet’s port number attributes, but only if the filter’s protocol type is set to TCP or UDP, since only those protocols use port numbers. The filter can be configured to match the following: •...

  • Page 159: Putting The Parts Together

    • Less Than: For the filter to match, the packet’s port number must be less than the port number specified in the filter. • Less Than or Equal: For the filter to match, the packet’s port number must be less than or equal to the port number specified in the filter.

  • Page 160: Filtering Example #1

    • Fwd: Shows whether the filter forwards (Yes) a packet or discards (No) it when there’s a match. • Src-IP: The packet source IP address to match. • Src-Mask: The packet source subnet mask to match. • Dst-IP: The packet destination IP address to match. •...

  • Page 161

    Firewall Tutorial • Source IP Address = 199.211.211.17 • Source IP address mask = 255.255.255.255 • Destination IP Address = 0.0.0.0 • Destination IP address mask = 0.0.0.0 • Using the tables on page 158, find the destination port and protocol numbers (the local Telnet port): •...

  • Page 162: Filtering Example #2

    Filtering example #2 Suppose a filter is configured to block all incoming IP packets with the source IP address of 200.233.14.0, regardless of the type of connection or its destination. The filter would look like this: This filter blocks any packets coming from a remote network with the IP network address 200.233.14.0.

  • Page 163: Design Guidelines

    Firewall Tutorial Design guidelines Careful thought must go into designing a new filter set. You should consider the following guidelines: • Be sure the filter set’s overall purpose is clear from the beginning. A vague purpose can lead to a faulty set, and that can actually make your network less secure. •...

  • Page 164: Working With Ip Filters And Filter Sets

    Working with IP Filters and Filter Sets To work with filters and filter sets, begin by accessing the filter set pages. ☛ NOTE: Make sure you understand how filters work before attempting to use them. Read the section “Packet Filter” on page 154.

  • Page 165: Example Filter Set, Example Filters

    Enter new name for the filter set, for example Filter Set 1. To save the filter set, click the Submit button. The saved filter set is empty (contains no filters), but you can return to it later to add filters (see “Adding filters to a filter set”).

  • Page 166

    The Netopia Router Packets in Netopia Firmware Version 7.6 pass through an input filter if they originate from the WAN and through an output filter if they’re being sent out to the WAN. The process for adding input and output filters is exactly the same. The main difference between the two involves their reference to source and destination.

  • Page 167

    The Filter Set page appears. ☛ Note: There are two buttons in this page, one for input filters and one for output filters. In this section, you’ll learn how to add an input filter to a filter set. Adding an output filter works exactly the same way, providing you keep the different source and destination perspectives in mind.

  • Page 168

    If you want the filter to forward packets that match its criteria to the destination IP address, check the Forward checkbox. If Forward is unchecked, packets matching the filter’s criteria will be discarded. Enter the Source IP address this filter will match on. You can enter a subnet or a host address.

  • Page 169

    Working with IP Filters and Filter Sets If Protocol Type is set to TCP or UDP, the settings for port comparison will appear. These settings only take effect if the Protocol Type is TCP or UDP. From the Source Port Compare pull-down menu, choose a comparison method for the filter to use on a packet’s source port number.

  • Page 170

    Modifying filters To modify a filter, select a filter from the table and click the Edit button. The Rule Entry page appears. The parameters in this page are set in the same way as the ones in the original Rule Entry page (see “Adding filters to a filter set”...

  • Page 171: Associating A Filter Set With An Interface

    Associating a Filter Set with an Interface Once you have created a filter set, you must associate it with an interface in order for it to be effective. Depending on its application, you can associate it with either the WAN (usually the Internet) interface or the LAN.

  • Page 172

    You can repeat this process for both the WAN and LAN interfaces, to associate your filter sets. When you return to the Filter Sets page, it will display your interface associations.

  • Page 173: Policy-based Routing Using Filtersets

    Policy-based Routing using Filtersets Netopia Firmware Version 7.6 offers the ability to route IP packets using criteria other than the destination IP address. This is called policy-based routing. You specify the routing criteria and routing information by using IP filtersets to determine the forwarding action of a particular filter.

  • Page 174

    Idle Reset checkbox unchecked. Example: You want packets with the TOS low latency bit to go through VC 2 (via gateway 127.0.0.3 – the Netopia Gateway will use 127.0.0.x, where x is the WAN port + 1) instead of your normal gateway.

  • Page 175

    configure one filter to match the first type of packet and apply Force Routing. A subsequent filter is required to match and forward all other packets. Management IP traffic If the Force Routing filter is applied to source IP addresses, it may inadvertently block communication with the router itself.

  • Page 176: Security Log, Using The Security Monitoring Log

    Security Monitoring is a keyed feature. See page 184 for information concerning installing Netopia Software Feature Keys. Security Monitoring detects security-related events, including common types of malicious attacks, and writes them to the security log file. Using the Security Monitoring Log You can view the Security Log at any time.

  • Page 177

    The capacity of the security log is 100 security alert messages. When the log reaches capacity, subsequent messages are not captured, but they are noted in the log entry count.

  • Page 178: Timestamp Background

    Timestamp Background During bootup, to provide better log information and to support improved troubleshooting, a Netopia Gateway acquires the National Institute of Standards and Technology (NIST) Universal Coordinated Time (UTC) reference signal, and then adjusts it for your local time zone.

  • Page 179: Install

    Install Button: Install From the Install toolbar button you can Install new Operating System Software and Feature Keys as updates become available. On selected models, you can install a Secure Sockets Layer (SSL V3.0) certificate from a trusted Certification Authority (CA) for authentication purposes. If this feature is available on your Gateway, the Install Certificate link will appear in the Install page as shown.

  • Page 180: Install Software, Updating Your Gateway's Netopia Firmware Version

    You install a new operating system image in your unit from the Install Operating System Software page. For this process, the computer you are using to connect to the Netopia Gateway must be on the same local area network as the Netopia Gateway.

  • Page 181: Step 1: Required Files

    When you download your firmware upgrade from the Netopia website, be sure to download the latest User Guide PDF files. These are also posted on the Netopia website in the Documentation Center. Confirm Netopia Firmware Image Files The Netopia firmware Image file is specific to the model and the product identification num-...

  • Page 182

    Enter the filename into the text box by using one of these techniques: The Netopia firmware file name begins with a shortened form of the version number and ends with the suffix “.bin” (for “binary”). Example: nta760.bin a. Click the Browse button, select the file you want, and click Open -or- b....

  • Page 183

    Your Netopia Gateway restarts with its new image. Verify the Netopia Firmware Release To verify that the Netopia firmware image has loaded successfully, use the following steps: Open a web connection to your Netopia Gateway from the computer on your LAN and return to the Home page.

  • Page 184: Install Keys, Use Netopia Software Feature Keys, Obtaining Software Feature Keys

    Gateway is restarted, the new feature's functionality becomes enabled. Use Netopia Software Feature Keys Netopia Gateway users obtain advanced product functionality by installing a software feature key. This concept utilizes a specially constructed and distributed keycode (referred to as a feature key) to enable additional capability within the unit.

  • Page 185

    Install Click the Install Key button. Click the Restart toolbar button. The Confirmation screen appears.

  • Page 186: To Check Your Installed Features

    Click the Restart the Gateway link to confirm. To check your installed features: Click the Install toolbar button. Click the list of features link.

  • Page 187

    Install The System Status page appears with the information from the features link displayed below. You can check that the feature you just installed is enabled.

  • Page 188

    Link: Install Certificate Secure Sockets Layer (SSL) is a protocol for transmitting private information over the Internet. SSL uses two keys to encrypt data: a public key known to everyone and a private or secret key known only to the recipient of the message. SSL certificates are issued by trusted Certification Authorities (CAs).

  • Page 189

    Install The Install Certificate page appears. Browse to the location where you have saved your certificate and select the file, or type the full path. Click the Install Certificate button. Restart your Gateway.

  • Page 191: Chapter 4 Basic Troubleshooting

    CHAPTER 4 Basic Troubleshooting This section gives some simple suggestions for troubleshooting problems with your Gateway’s initial configuration. Before troubleshooting, make sure you have • read the Quickstart Guide; • plugged in all the necessary cables; and • set your PC’s TCP/IP controls to obtain an IP address automatically.

  • Page 192: Status Indicator Lights

    Status Indicator Lights The first step in troubleshooting is to check the status indicator lights (LEDs) in the order outlined below. Netopia Gateway 2240N/2241N status indicator lights Internet Power Ethernet Action Green when power is on. if device malfunctions. Power...

  • Page 193

    Status Indicator Lights Netopia Gateway 2246N status indicator lights ETHER NET Internet Power Ethernet 1, 2, 3, 4 Action Green when power is on. if device malfunctions. Power Solid green when connected. Flash green when there is activity on Ethernet 1, 2, 3, 4 the LAN.

  • Page 194

    Netopia Gateway 2247NWG status indicator lights ETHER NET Power Internet Ethernet 1, 2, 3, 4 Wireless Action Green when power is on. if device malfunctions. Power Solid green when connected. Flash green when there is activity on Ethernet 1, 2, 3, 4 the LAN.

  • Page 195

    Status Indicator Lights Netopia Gateway 3340(N) status indicator lights Ethernet Link: Solid green when connected Ethernet Traffic: Flashes green when there is activity on the LAN DSL Traffic: Blinks green when traffic is sent/received over the WAN Power: Solid green...

  • Page 196

    Netopia Gateway 3341(N), 3351(N) status indicator lights Ethernet Link: Solid green when connected Ethernet Traffic: Flashes green when there is activity on the LAN DSL Traffic: Blinks green when traffic is sent/received over the WAN Power: Solid green when the power is on...

  • Page 197

    Status Indicator Lights Netopia Gateway 3342/3342N, 3352/3352N status indicator lights USB: Solid green when USB is connected otherwise, not lit DSL: Blinking green with no line attached or training, solid green when trained with the DSL line. ☛ Special patterns: •...

  • Page 198

    Netopia Gateway 3346(N), 3356(N) status indicator lights Power: Solid green when the power is on DSL Sync: Blinks green with no line attached or training, Solid green when trained with the DSL line LAN 1, 2, 3, 4: Solid green...

  • Page 199

    Status Indicator Lights Netopia Gateway 3347W, 3347 (N) WG status indicator lights Power Green when power is applied DSL SYNC Flashes green when training Solid green when trained Flashes green for DSL traffic LAN 1, 2, 3, 4 Solid green when connected to each port on the LAN.

  • Page 200

    Netopia Gateway MiAVo status indicator lights Front View Power - Green when power is on. DSL - Flashes green when training Solid green when trained Ethernet 1, 2, 3, 4 - Solid green when connected. Flash green when there is activity on the LAN.

  • Page 201: Led Function Summary Matrix

    Status Indicator Lights LED Function Summary Matrix Flashing Unlit Solid Green Solid Red Green No power Power on System failure Power No signal USB port con- Activity on the USB Active nected to PC USB cable No signal DSL line synched Attempting to DSL Sync with the DSLAM...

  • Page 202

    Note: EN Link light is inactive if only using USB. Make sure you are using the Ethernet cable, not the DSL cable. The Ethernet cable is thicker than the standard telephone cable. Make sure the Ethernet cable is securely plugged into the Ethernet jack on the PC.

  • Page 203: Factory Reset Switch

    Keep in mind that all of your settings will need to be reconfigured. If you don't have a password, the only way to access the Netopia Gateway is the following: Referring to the following diagram, find the round Reset Switch opening.

  • Page 204

    3397GP Power Off/On Factory Reset Switch: 2247NWG Push to clear all settings 3347W/3357W Factory Reset Switch: Power Off / On Push to clear all settings 2240N Factory Reset Switch: Push to clear all settings Factory Reset Switch: Push to clear all settings 3341/3351 2241N Ethernet...

  • Page 205: Chapter 5 Advanced Troubleshooting

    CHAPTER 5 Advanced Troubleshooting Advanced Troubleshooting can be accessed from the Gateway’s Web UI. Point your browser to http://192.168.1.254. The main page displays the device status. (If this does not make the Web UI appear, then do a release and renew in Windows networking to see what the Gateway address really is.)

  • Page 206: Home

    Home Page The home page displays basic information about the Gateway. This includes the ISP Username, Connection Status, Device Address, Remote Gateway Address, DNS-1, and DNS-2. If you are not able to connect to the Internet, verify the following: Item Description Local WAN IP Address...

  • Page 207

    Item Description Status of Connection ‘Waiting for DSL’ is displayed while the Gateway is training. This should change to ‘Up’ within two minutes. If not, make sure an RJ-11 cable is used, the Gateway is connected to the correct wall jack, and the Gateway is not plugged into a micro filter.

  • Page 208

    Item Description Date & Time If this is blank, you likely lack a network connection, or your NTP server information is incorrect. If all of the above seem correct, then access Expert Mode by clicking the Expert Mode link. Button: Troubleshoot Expert Mode Expert Mode has advanced troubleshooting tools that are used to pinpoint the exact source of a problem.

  • Page 209: System Status

    Link: System Status In the system status screen, there are several utilities that are useful for troubleshooting. Some examples are given in the following pages.

  • Page 210: Ports: Ethernet

    Link: Ports: Ethernet The Ethernet port selection shows the traffic sent and received on the Ethernet interface. There should be frames and bytes on both the upstream and downstream sides. If there are not, this could indicate a bad Ethernet cable or no Ethernet connection. Below is an example: Ethernet Driver Statistics - 10/100 Ethernet Type: 100BASET...

  • Page 211: Ports: Dsl

    Link: Ports: DSL The DSL port selection shows the state of the DSL line, whether it is up or down and how many times the Gateway attempted to train. The state should indicate ‘up’ for a working configuration. If it is not, check the DSL cable and make sure it is plugged in correctly and not connected to a micro filter.

  • Page 212: Ip: Interfaces

    Link: IP: Interfaces The IP interfaces selection shows the state and configuration information for your IP LAN and WAN interfaces. Below is an example: IP interfaces: Ethernet 100BT: ( up broadcast default rip-send v1 rip-receive v1 ) inet 192.168.1.1 netmask 255.255.255.0 broadcast 192.168.1.255 physical address 00-00-00-00-00-00 mtu 1500 PPP over Ethernet vcc1: ( up address-mapping broadcast default admin-disabled rip-send v1 rip-receive v1 )

  • Page 213

    Link: DSL: Circuit Configuration The DSL Circuit Configuration screen shows the traffic sent and received over the DSL line as well as the trained rate (upstream and downstream) and the VPI/VCI. Verify traffic is being sent over the DSL line. If not, check the cabling and make sure the Gateway is not connected to a micro filter.

  • Page 214: System Log: Entire

    IP address server initialization complete 00:00:00:00 L4 BR: Using saved configuration options 00:00:00:00 L4 BR: Netopia SOC OS version 7.3.0 (build r0) 00:00:00:00 L4 BR: Netopia-3000/9495032 (Netopia-3000, rev 1), PID 1205 00:00:00:00 L4 BR: last install status: Firmware installed successfully...

  • Page 215: Diagnostics

    Check PPP connect to PPPOE (vcc1) PASS Check IP connect to PPP (vcc1) PASS Pinging Gateway PASS ==== Checking Miscellaneous Check DNS- Query for netopia.com : SKIPPED Ping DNS Server Primary IP Address : SKIPPED TEST DONE The following table summarizes the possible results. CODE...

  • Page 216: Network Tools

    To use the NSLookup capability, type an address (domain name or IP address) in the text box and click the NSLookup button Example: Show the IP Address for grosso.com. Server : controller2.netopia.com Address : 143.137.137.9 Name : www.grosso.com Address : 192.150.14.120...

  • Page 217

    PING: The network tools section sends a PING from the Gateway to either the LAN or WAN to verify connectivity. A PING could be either an IP address (163.176.4.32) or Domain Name (www.netopia.com). To use the Ping capability, type a destination address (domain name or IP...

  • Page 218

    Below are some specific tests: Action If PING is not successful, possible causes are: From the Gateway's Network Tools page: Ping the internet default gateway IP address DSL is down, DSL or ATM settings are incorrect; Gateway’s IP address or subnet mask are wrong; gateway router is down.

  • Page 219

    Example: Show the path to the grosso.com site. Result: It took 20 hops to get to the grosso.com web site.

  • Page 221: Chapter 6 Command Line Interface

    The Netopia Gateway operating software includes a command line interface (CLI) that lets you access your Netopia Gateway over a telnet connection. You can use the command line interface to enter and update the unit’s configuration settings, monitor its performance, and restart it.

  • Page 222: Overview

    Overview The CLI has two major command modes: SHELL and CONFIG. Summary tables that list the commands are provided below. Details of the entire command set follow in this section. SHELL Commands Command Status and/or Description to send ARP request atmping to send ATM OAM loopback clear...

  • Page 223

    Overview CONFIG Commands Command Verbs Status and/or Description delete Delete configuration list data help Help command option save Save configuration data script Print configuration data Set configuration data validate Validate configuration settings view View configuration data Keywords ATM options (DSL only) bridge Bridge options dhcp...

  • Page 224: Starting And Ending A Cli Session, Logging In, Ending A Cli Session

    Telnet. telnet <ip_address> You must know the IP address of the Netopia Gateway before you can make a telnet connection to it. By default, your Netopia Gateway uses 192.168.1.254 as the IP address for its LAN interface. You can use a Web browser to configure the Netopia Gateway IP address.

  • Page 225: Saving Settings, Using The Cli Help Facility, About Shell Commands, Shell Prompt, Shell Command Shortcuts

    SHELL Prompt When you are in SHELL mode, the CLI prompt is the name of the Netopia Gateway followed by a right angle bracket (>). For example, if you open a CLI connection to the Netopia Gateway named “Netopia-3000/9437188,” you would see Netopia-3000/9437188> as your CLI prompt.

  • Page 226: Shell Commands, Common Commands

    Sends an Address Resolution Protocol (ARP) request to match the nnn.nnn.nnn.nnn IP address to an Ethernet hardware address. clear [yes] Clears the configuration settings in a Netopia Gateway. If you do not use the optional qualifier, you are prompted to confirm the clear command.

  • Page 227

    The test timed out without producing a result. Try running the test again. download [ server_address ] [ filename ] [confirm] This command installs a file of configuration parameters into the Netopia Gateway from a TFTP (Trivial File Transfer Protocol) server. The TFTP server must be accessible on your Ethernet network.

  • Page 228

    Adds the message in the message_string argument to the Netopia Gateway diagnostic log. loglevel [ level ] Displays or modifies the types of log messages you want the Netopia Gateway to record. If you enter the loglevel command without the optional level argument, the command line interface displays the current log level setting.

  • Page 229

    DNS information. ping [-s size ] [-c count ]{ hostname | ip_address } Causes the Netopia Gateway to issue a series of ICMP Echo requests for the device with the specified name or IP address. ping •...

  • Page 230

    Resets the Asynchronous Transfer Mode (ATM) statistics. reset crash Clears crash-dump information, which identifies the contents of the Netopia Gateway registers at the point of system malfunction. reset dhcp server Clears the DHCP lease table in the Netopia Gateway.

  • Page 231

    SHELL Commands reset ipmap Clears the IPMap table (NAT). reset log Rewinds the diagnostic log display to the top of the existing Netopia Gateway diagnostic log. The reset log command does not clear the diagnostic log. The next show log command will display information from the beginning of the log file.

  • Page 232

    Displays the most recent crash information, if any, for your Netopia Gateway. show dhcp agent Displays DHCP relay-agent leases. show dhcp server leases Displays the DHCP leases stored in RAM by your Netopia Gateway.

  • Page 233

    Displays the LAN Host Discovery Table of hosts on the wired or wireless LAN, and whether or not they are currently online. show ip routes Displays the IP routes stored in your Netopia Gateway. show ip state-insp Displays whether stateful inspection is enabled on an interface or not, exposed addresses and blocked packet statistics because of stateful inspection.

  • Page 234

    Displays the current status of a Netopia Gateway, the device's hardware and software revision levels, a summary of errors encountered, and the length of time the Netopia Gateway has been running since it was last restarted. Identical to the status command.

  • Page 235

    SHELL Commands telnet { hostname | ip_address } [ port ] Lets you open a telnet connection to the specified host through your Netopia Gateway. • The hostname argument is the name of the device to which you want to connect; for telnet ftp.netopia.com...

  • Page 236: Wan Commands

    Use the segment argument to ping a neighbor switch. Use the end-to-end argument to ping a remote end node. reset dhcp client release [ vcc-id ] Releases the DHCP lease the Netopia Gateway is currently using to acquire the IP settings for the specified DSL port. The vcc-id identifier is an “index”...

  • Page 237: About Config Commands, Config Mode Prompt, Navigating The Config Hierarchy

    ) at the CLI SHELL prompt. CONFIG Mode Prompt When you are in CONFIG mode, the CLI prompt consists of the name of the Netopia Gateway followed by your current node in the hierarchy and two right angle brackets (>>). For config...

  • Page 238

    Netopia-3000/9437188 (top)>> quit Netopia-3000/9437188 > • Moving from top to a subnode — You can navigate from the top node to a subnode by entering the node name (or the significant letters of the node name) at the CONFIG prompt and pressing Return.

  • Page 239: Entering Commands In Config Mode

    About CONFIG Commands Entering Commands in CONFIG Mode CONFIG commands consist of keywords and arguments. Keywords in a CONFIG command specify the action you want to take or the entity on which you want to act. Arguments in a CONFIG command specify the values appropriate to your site. For example, the CONFIG command set ip ethernet A ip_address ethernet A...

  • Page 240: Guidelines: Config Commands, Displaying Current Gateway Settings

    Step Mode: A CLI Configuration Technique The Netopia Gateway command line interface includes a step mode to automate the process of entering configuration settings. When you use the CONFIG step mode, the command line interface prompts you for all required and optional information.

  • Page 241

    Error: Subnet mask is incorrect Global Validation did not pass inspection! You can use the validate command to verify your configuration settings at any time. Your Netopia Gateway automatically validates your configuration any time you save a modified configuration.

  • Page 242: Config Commands, Dsl Commands, Atm Settings

    You can use the CLI to set up each ATM virtual circuit. set atm option {on | off } Enables the WAN interface of the Netopia Gateway to be configured using the Asynchronous Transfer Mode (ATM) protocol. set atm [vcc n ] option {on | off } Selects the virtual circuit for which further parameters are set.

  • Page 243

    CONFIG Commands the raw WAN (DSL) bit rate. The Maximum Burst Size (MBS) is the number of cells that can be sent at the PCR rate, after which the PVC must fall back to the SCR rate. set atm [vcc n ] qos sustained-cell-rate { 1 ... n } If QoS class is set to vbr, then specify the sustained-cell-rate that should apply to the specified virtual circuit.

  • Page 244: Bridging Settings, Common Commands

    Bridging lets the Netopia Gateway use MAC (Ethernet hardware) addresses to forward non-TCP/IP traffic from one network to another. When bridging is enabled, the Netopia Gateway maintains a table of up to 512 MAC addresses. Entries that are not used within 30 seconds are dropped.

  • Page 245: Dhcp Settings, Common Commands

    A device that acquires its IP address and other TCP/IP configuration settings from the Netopia Gateway can use the information for a fixed period of time (called the DHCP lease). Common Commands set dhcp option { off | server | relay-agent } Enables or disables DHCP services in the Netopia Gateway.

  • Page 246

    , specifies the last address in the DHCP address range. set dhcp lease-time lease-time If you selected server, specifies the default length for DHCP leases issued by the Netopia Gateway. Enter lease time in dd:hh:mm:ss (day/hour/minute/second) format. set dhcp server-address ip_address If you selected relay-agent, specifies the IP address of the relay agent server.

  • Page 247: Dmt Settings, Dsl Commands

    CONFIG Commands DMT Settings DSL Commands set dmt type [ lite | dmt | ansi | multi | adsl2 | adsl2+ | readsl2 | adsl2anxm | adsl2+anxm ] Selects the type of Discrete Multitone (DMT) asynchronous digital subscriber line (ADSL) protocol to use for the WAN interface.

  • Page 248: Domain Name System Settings, Common Commands, Dynamic Dns Settings

    • auto - The device will scan for standard telephone service (POTS). If it finds POTS, it disables metallic termination. If it does not find POTS during the search period, then metallic termination is enabled. • disabled - There is no POTS detection, and metallic termination is disabled. ...

  • Page 249: Igmp Settings

    CONFIG Commands rent dynamically-assigned IP address. This allows you to get to the IP address assigned to your Gateway, even though your actual IP address may change as a result of a PPPoE connection to the Internet. set dynamic-dns option [ off | dyndns.org ] set dynamic-dns ddns-host-name myhostname .dyndns.org set dynamic-dns ddns-user-name myusername set dynamic-dns ddns-user-password myuserpassword...

  • Page 250: Ip Settings, Common Settings, Arp Timeout Settings, Dsl Settings

    Enables or disables TCP/IP services in the Netopia Gateway. You must enable TCP/IP services before you can enter other TCP/IP settings for the Netopia Gateway. If you turn off TCP/IP services and save the new configuration, the Netopia Gateway clears its TCP/IP settings.

  • Page 251

    { admin-disabled | none } Specifies restrictions on the types of traffic the Netopia Gateway accepts over the DSL virtual circuit. The admin-disabled argument means that access to the device via telnet, web, and SNMP is disabled. RIP and ICMP traffic is still accepted. The none argument means that all traffic is accepted.

  • Page 252: Ethernet Lan Settings

    A address ip_address Assigns an IP address to the Netopia Gateway on the local area network. The IP address you assign to the local Ethernet interface must be unique on your network. By default, the Netopia Gateway uses 192.168.1.254 as its LAN IP address.

  • Page 253

    If you specify v2-MD5, you must also specify a rip-send-key. Keys are ASCII strings with a maximum of 31 characters, and must match the other router(s) keys for proper operation of MD5 support. Depending on your network needs, you can configure your Netopia Gateway to support RIP-1, RIP-2, or RIP-2MD5.

  • Page 254: Default Ip Gateway Settings, Ip-over-ppp Settings

    Specifies how the Netopia Gateway should route information to the default Gateway. If you select ip-address, you must enter the IP address of a host on a local or remote network. If you specify ppp, the Netopia unit uses the default gateway being used by the remote PPP peer.

  • Page 255

    Assigns an IP address to the virtual PPP interface. If you specify an IP address other than 0.0.0.0, your Netopia Gateway will not negotiate its IP address with the remote peer. If the remote peer does not accept the IP address specified in the ip_address argument as valid, the link will not come up.

  • Page 256

    [ vccn ] rip-send { off | v1 | v2 | v1-compat | v2-MD5 } Specifies whether the Netopia Gateway unit should use Routing Information Protocol (RIP) broadcasts to advertise its routing tables to routers on the other side of the PPP link. An extension of the original Routing Information Protocol (RIP-1), RIP Version 2 (RIP-2) expands the amount of useful information in the packets.

  • Page 257: Static Arp Settings, Igmp Forwarding, Ipsec Passthrough

    MAC addresses. Unlike dynamic ARP table entries, static ARP table entries do not time out. You can configure as many as 16 static ARP table entries for a Netopia Gateway. Use the following commands to add static ARP entries to the Netopia Gateway static ARP table:...

  • Page 258: Ip Prioritization, Differentiated Services (diffserv)

    IP Prioritization set ip prioritize [ off | on ] Allows you to support traffic that has the TOS bit set. This defaults to off. Differentiated Services (DiffServ) The commands in this section are supported beginning with Firmware Version 7.4.2. set diffserv option [ off | on ] Turns the DiffServ option off (default) or on.

  • Page 259

    CONFIG Commands set diffserv custom-flows name name protocol [ TCP | UDP | ICMP | other ] direction [ outbound | inbound | both ] start-port [ 0 - 49151 ] end-port [ 0 - 49151 ] inside-ip inside-ip-addr inside-ip-mask inside-ip-netmask outside-ip outside-ip-addr outside-ip-mask outside-ip-netmask qos [ off | assure | expedite ]...

  • Page 260: Sip Passthrough, Static Route Settings

    PPP link may make maintenance of dynamic routes problematic. You can configure as many as 32 static IP routes for a Netopia Gateway. Use the following commands to maintain static routes to the Netopia Gateway routing table:...

  • Page 261

    Specifies the IP address of the Gateway for the static route. The default Gateway must be located on a network connected to the Netopia Gateway configured interface. set ip static-routes destination-network net_address metric integer Specifies the metric (hop count) for the static route.

  • Page 262: Ipmaps Settings, Network Address Translation (nat) Default Settings

    Network Address Translation (NAT) Default Settings NAT default settings let you specify whether you want your Netopia Gateway to forward NAT traffic to a default server when it doesn’t know what else to do with it. The NAT default host function is useful in situations where you cannot create a specific NAT pinhole for a traffic...

  • Page 263: Network Address Translation (nat) Pinhole Settings

    NAT pinholes let you pass specific types of network traffic through the NAT interfaces on the Netopia Gateway. NAT pinholes allow you to route selected types of network traffic, such as FTP requests or HTTP (Web) connections, to a specific host behind the Netopia Gateway transparently.

  • Page 264: Pppoe /pppoa Settings

    [ 0 - 65535 ] Specifies the port number your Netopia Gateway should use when forwarding traffic of the specified type. Under most circumstances, you would use the same number for the external and internal port.

  • Page 265

    [vccn] lcp-echo-requests { on | off } Specifies whether you want your Netopia Gateway to send LCP echo requests. You should turn off LCP echoing if you do not want the Netopia Gateway to drop a PPP link to a nonresponsive peer.

  • Page 266

    [vccn] time-out integer If you specified a connection type of instant-on, specifies the number of seconds, in the range 30 - 3600, with a default value of 300, the Netopia Gateway should wait for communication activity before terminating the PPP link.

  • Page 267: Ethernet Port Settings, Command Line Interface Preference Settings

    CONFIG Commands CHAP and specify the same name and secret on the Netopia Gateway before the link can be established. set ppp module [vccn] port-authentication option [ off | on | pap-only | chap-only ] Specifying on turns both PAP and CHAP on, or you can select PAP or CHAP. Specify the...

  • Page 268

    set preference more lines Specifies how many lines of information you want the command line interface to display at one time. The lines argument specifies the number of lines you want to see at one time. The range is 1-65535. By default, the command line interface shows you 22 lines of text before displaying the prompt: More …[y|n] ?.

  • Page 269: Port Renumbering Settings

    For example, if you set up a NAT pinhole to forward network traffic on Port 80 (HTTP) to another host, you would have to tell the Netopia Gateway to listen for configuration connection requests on a port number other than 80, such as 6080.

  • Page 270: Security Settings, Firewall Settings (for Breakwater Firewall), Safeharbour Ipsec Settings

    When connecting the Netopia unit in a telecommuting scenario, the corporate VPN settings will dictate the settings to be used in the Netopia unit. If a parameter has not been specified from the other end of the tunnel, choose the default unless you fully understand the ramifications of your parameter choice.

  • Page 271

    CONFIG Commands set security ipsec tunnels name "123" tun-enable (on) {on | off} This enables this particular tunnel. Currently, one tunnel is supported. set security ipsec tunnels name "123" dest-ext-address ip-address Specifies the IP address of the destination gateway. set security ipsec tunnels name "123" dest-int-network ip-address Specifies the IP address of the destination computer or internal network.

  • Page 272

    set security ipsec tunnels name "123" IKE-mode pre-shared-key ("") {hex string} See page 130 for details about SafeHarbour IPsec tunnel capability. Example: 0x1234 set security ipsec tunnels name "123" IKE-mode neg-method {main | aggressive} See page 130 for details about SafeHarbour IPsec tunnel capability. Note: Aggressive Mode is a little faster, but it does not provide identity protection for negotiating nodes.

  • Page 273

    "123" IKE-mode invalid-spi-recovery { off | on } Enables the Gateway to re-establish the tunnel if either the Netopia Gateway or the peer gateway is rebooted. set security ipsec tunnels name "123" xauth enable {off | on } Enables or disables Xauth extensions to IPsec, when IKE-mode neg-method is set to aggressive.

  • Page 274

    set security ipsec tunnels name "123" local-id id_value Specifies the NAT local ID value as specified in the local-id-type for the specified IPsec tunnel, when Aggressive Mode is set. ☛ Note: If subnet is selected, the following two values are used instead: set security ipsec tunnels name "123"...

  • Page 275: Internet Key Exchange (ike) Settings

    CONFIG Commands Internet Key Exchange (IKE) Settings The following four IPsec parameters configure the rekeying event. set security ipsec tunnels name "123" IKE-mode ipsec-soft-mbytes (1000) {1-1000000} set security ipsec tunnels name "123" IKE-mode ipsec-soft-seconds (82800) {60-1000000} set security ipsec tunnels name "123" IKE-mode ipsec-hard-mbytes (1200) {1-1000000} set security ipsec tunnels name "123"...

  • Page 276

    Stateful Inspection Stateful inspection options are accessed by the security state-insp tag. set security state-insp [ ip-ppp | dsl ] vcc n option [ off | on ] set security state-insp ethernet [ A | B ] option [ off | on ] Sets the stateful inspection option off or on on the specified interface.

  • Page 277: Example

    CONFIG Commands set security state-insp udp-timeout [ 30 - 65535 ] Sets the stateful inspection UDP timeout interval, in seconds. set security state-insp xposed-addr exposed-address# " n " Allows you to add an entry to the specified list, or, if the list does not exist, creates the list for the stateful inspection feature.

  • Page 278: Packet Filtering Settings

    set security state-insp xposed-addr exposed-address# " n " start-port [ 1 - 65535 ] set security state-insp xposed-addr exposed-address# " n " end-port [ 1 - 65535 ] Packet Filtering Settings Packet Filtering settings are supported beginning with Firmware Version 7.4. Packet Filtering has two parts: •...

  • Page 279

    CONFIG Commands set security pkt-filter filterset filterset-name [ in | out ] index frc-rte [ on | off ] Turns forced routing on or off for the specified filter rule. A match on this rule will force a route for packets. The default is off. set security pkt-filter filterset filterset-name [ in | out ] index gateway ip_addr Specifies the gateway IP address for forced routed packets, if forced routing is enabled.

  • Page 280

    set security pkt-filter filterset filterset-name [ in | out ] index tos-mask value Specifies the TOS (Type Of Service) mask to match packets. The value for tos-mask can be from 0 – 255. set security pkt-filter filterset filterset-name [ in | out ] index protocol value Specifies the protocol value to match packets, the type of higher-layer Internet protocol the packet is carrying, such as TCP or UDP.

  • Page 281

    CONFIG Commands Operator Action Less than or equal to Equal to Greater than or equal to Greater than set security pkt-filter filterset filterset-name [ in | out ] index src-port value Specifies the source IP port to match packets (the port on the sending host that originated the packet, if the underlying protocol is TCP or UDP).

  • Page 282: Snmp Settings

    Identifies the system contact, such as the name, phone number, beeper number, or email address of the person responsible for the Netopia Gateway. You can enter up to 255 characters for the contact_info argument. You must put the contact_info argument in double-quotes if it contains embedded spaces.

  • Page 283: Snmp Notify Type Settings, System Settings

    Netopia-3000/9437188. A system name can be 1 – 255 characters long. Once you have assigned a name to your Netopia Gateway, you can enter that name in the Address text field of your browser to open a connection to your Netopia Gateway.

  • Page 284

    { off | low | medium | high | alerts | failures } Specifies the types of log messages you want the Netopia Gateway to record. All messages with a level equal to or greater than the level you specify are recorded. For example, if you specify set system diagnostic-level medium, the diagnostic log will retain medium-level informational messages, alerts, and failure messages.

  • Page 285

    A password can be as many as 8 characters. Passwords are case-sensitive. Passwords go into effect immediately. You do not have to restart the Netopia Gateway for the password to take effect. Assigning an administrator or user password to a Netopia Gateway does not affect communications through the device.

  • Page 286

    out, each heartbeat sequence will send out a total of 20 heartbeats, spaced at 30 second intervals, and then sleep for 30 minutes. So to have the Gateway send out packets “forever”, this number can be set very high. If it is 1440 and the interval is 1 minute, say, the heartbeat will go out every minute for 1440 minutes, or one day, before sleeping.

  • Page 287

    [ on | off ] Enables or disables the Zero Touch option. Zero Touch refers to automatic configuration of your Netopia Gateway. The Netopia Gateway has default settings such that initial connection to the Internet will succeed. If the zerotouch option is set to on, HTTP requests to any destination IP address except the IP address(es) of the configured redirection URL(s) will access a redirection server.

  • Page 288: Syslog, Default Syslog Installation Procedure

    Syslog set system syslog option [ off | on ] Enables or disables system syslog feature. If syslog option is on, the following commands are available: set system syslog host-nameip [ ip_address | hostname ] Specifies the syslog server’s address either in dotted decimal format or as a DNS name up to 64 characters.

  • Page 289

    CONFIG Commands set security state-insp eth B option on • Type the command to enable the router to drop fragmented packets set security state-insp eth B deny-fragments on Enabling syslog: • Type config • Type the command to enable syslog set system syslog option on •...

  • Page 290: Wireless Settings (supported Models)

    { off | at-startup | continuous } Specifies the wireless AutoChannel Setting for 802.11G models. AutoChannel is a feature that allows the Netopia Gateway to determine the best channel to broadcast automatically. For details, see “Advanced” on page set wireless default-channel { 1...14 }...

  • Page 291

    CONFIG Commands set wireless mode { both-b-and-g | b-only | g-only } Beginning with Netopia Firmware Version 7.5.1, specifies the wireless operating mode for connecting wireless clients: both-b-and-g, b-only, or g-only, and locks the Gateway in that mode. ☛ NOTE: If you choose to limit the operating mode to B or G only, clients using the mode you excluded will not be able to connect.

  • Page 292

    set wireless multi-ssid second-ssid-privacy { off | WEP | WPA-PSK | WPA-802.1x } set wireless multi-ssid third-ssid-privacy { off | WEP | WPA-PSK | WPA-802.1x } set wireless multi-ssid fourth-ssid-privacy { off | WEP | WPA-PSK | WPA-802.1x } Specifies the type of privacy enabled on multiple SSIDs when multi-ssid option is set to on.

  • Page 293: Wireless Privacy Settings

    CONFIG Commands set wireless multi-ssid second-ssid-wepkey { hexadecimal digits } set wireless multi-ssid third-ssid-wepkey { hexadecimal digits } set wireless multi-ssid fourth-ssid-wepkey { hexadecimal digits } Specifies a WEP key for the multiple SSIDs, when second-, third-, or fourth-ssid-privacy is set to WEP. For 40/64bit encryption, you need 10 digits; 26 digits for 128bit, and 58 digits for 256bit WEP.

  • Page 294

    protect your network and data from intruders. Note that 40bit is the same as 64bit and will work with either type of wireless client. The default is off. A single key is selected (see default-key) for encryption of outbound/transmitted packets. The WEP-enabled client must have the identical key, of the same length, in the identical slot (1..4) as the wireless Gateway, in order to successfully receive and decrypt the packet.

  • Page 295

    CONFIG Commands set wireless network-id privacy encryption-key1 { hexadecimal digits } set wireless network-id privacy encryption-key2 { hexadecimal digits } set wireless network-id privacy encryption-key3 { hexadecimal digits } set wireless network-id privacy encryption-key4 { hexadecimal digits } The encryption keys. Enter keys using hexadecimal digits. For 40/64bit encryption, you need 10 digits;...

  • Page 296: Wireless Mac Address Authorization Settings, Radius Server Settings

    Wireless MAC Address Authorization Settings set wireless mac-auth option { on | off } Enabling this feature limits the MAC addresses that are allowed to access the LAN as well as the WAN to specified MAC (hardware) addresses. set wireless mac-auth wrlss-MAC-list mac-address MAC-address_string Enters a new MAC address into the MAC address authorization table.

  • Page 297: Vlan Settings, Example

    You must save the changes, exit out of configuration mode, and restart the Gateway for the changes to take effect. Example: • Navigate to the VLAN item: Netopia-3000/9459252 (top)>> vlan Netopia-3000/9459252 (vlan)>> set vlan name (name) node list ... Select (name) node to modify from list, or enter new (name) to create.

  • Page 298

    Netopia-3000/9459252 (vlan)>> • To make the VLAN vlan1 routable add the port lan-uplink: Netopia-3000/9459252 (vlan)>> name vlan1 Netopia-3000/9459252 (vlan name "vlan1")>> set "vlan1" id (52) [ 1 - 4095 ]: type (by-port) [ by-port ]: admin-restricted (off) [ off | on ]: port (port) node list ...

  • Page 299: Upnp Settings, Dsl Forum Settings, Tr-064

    PCs using UPnP can retrieve the Gateway’s WAN IP address, and automatically create NAT port maps. This means that applications that support UPnP, and are used with a UPnP-enabled Netopia Gateway, will not need application layer gateway support on the Netopia Gateway to work through NAT. The default is on.

  • Page 300: Tr-069

    WAN link for some features and over the LAN for others. TR-069 allows a remote Auto-Config Server (ACS) to provision and manage the Netopia Gateway. TR-069 protects sensitive data on the Gateway by not advertising its presence, and by password protection.

  • Page 301

    On units that support SSL, the format for the ACS URL can also be: https:// some_url.com : port_number https:// 123.45.678.910 : port_number...

  • Page 302: Vdsl Settings

    VDSL Settings ☛ CAUTION! These settings are for very advanced users and lab technicians. Exercise extreme caution when modifying any of these settings. set vdsl sys-option [ 0x00 - 0xff ] sys-bandplan [ 0x00 - 0xff ] psd-mask-level [ 0x00 - 0xff ] pbo-k1_1 [ 0x00000000 - 0xffffffff ] pbo-k1_2 [ 0x00000000 - 0xffffffff ] pbo-k1_3 [ 0x00000000 - 0xffffffff ]...

  • Page 303: Vdsl Parameter Defaults

    VDSL Parameter Defaults Parameter Default Meaning sys-option 0x00 VDSL system option(bit0=ntr, 1=margin, 2=ini, 3=pbo, 4=tlan, 5=pbo) sys-bandplan 0x02 VDSL system bandplan(bp_3_998_4=2, bp4_997_3=3, bp5_997_3=4…) psd-mask-level 0x00 VDSL system psd mask(def=0, 1=ansim1cab, 2=ansim2cab, 3=etsim1cab, 4=etsim2cab) pbo-k1_1 0x00 VDSL system power back-off k1_1 pbo-k1_2 0x00 VDSL system power back-off k1_2...

  • Page 304: Vdsl Parameters Accepted Values

    VDSL Parameters Accepted Values Parameter Accepted Values sys-option Bit[0]: NTR_DISABLE Bit[1]: ALW_MARGIN_ADJUST. 1: the SNR margin for the optional band is reduced by up to 2.5 dB, but never below a minimum of 4 dB. Bit[2]: SUPPORT_INI Bit[4]: TLAN Enable Bit[5]: PBO Weak mode Enable (Applicable only when PBO Bit[3]=0.

  • Page 305

    VDSL Parameters Accepted Values Parameter Accepted Values sys-bandplan BP1_998_3 (0x00) BP2_998_3 (0x01) BP998_3B_8_5M (0x01) BP3_998_4 (0x02) BP998_4B_12M (0x02) BP4_997_3 (0x03) BP997_3B_7_1M (0x03) BP5_997_3 (0x04) BP6_997_4 (0x05) BP997_4B_7_1M (0x05) BP7_MXU_3 (0x06) FLEX_3B_8_5M (0x06) BP8_MXU_2 (0x07) BP9_998_2 (0x08) BP10_998_2 (0x09) BP998_2B_3_8M (0x09) BP11_998_2 (0x0A)

  • Page 306

    VDSL Parameters Accepted Values Parameter Accepted Values psd-mask-level 0x00 -- default mask (old gains from before) 0x01 -- ANSI M1 CAB 0x02 -- ANSI M2 CAB 0x03 -- ETSI M1 CAB 0x04 -- ETSI M2 CAB 0x05 -- ITU-T Annex F (Japan) 0x06 - ANSI M1 Ex 0x07 - ANSI M2 Ex 0x08 -- ETSI M1 Ex...

  • Page 307

    VDSL Parameters Accepted Values Parameter Accepted Values port-bandplan BP1_998_3 (0x00) BP2_998_3 (0x01) BP998_3B_8_5M (0x01) BP3_998_4 (0x02) BP998_4B_12M (0x02) BP4_997_3 (0x03) BP997_3B_7_1M (0x03) BP5_997_3 (0x04) BP6_997_4 (0x05) BP997_4B_7_1M (0x05) BP7_MXU_3 (0x06) FLEX_3B_8_5M (0x06) BP8_MXU_2 (0x07) BP9_998_2 (0x08) BP10_998_2 (0x09) BP998_2B_3_8M (0x09) BP11_998_2 (0x0A)

  • Page 308

    VDSL Parameters Accepted Values Parameter Accepted Values framing-mode HDLC – 0x80 AUTO – 0x90 ATM – 0x00 band-mod Bit 0, 1: Tx Cfg band 1- All tones on 2- All tones below 640 Khz are turned off 3- All tones below 1.1 Mhz are turned off Bit 2,3: Not used Bit 4,5: Rx Cfg band 1- All tones on...

  • Page 309

    VDSL Parameters Accepted Values Parameter Accepted Values rx-filter 0: using internal filter in Rx path 1: using K1 external filter in Rx path (for Korea VLR Application) 2: using U1 external filter in Rx path (for US / Korea VLR Application) 3: using H1 external filter in Rx path (for 100/100 Application) dying-gasp...

  • Page 311: Chapter 7 Glossary

    Glossary CHAPTER 7 10Base-T. IEEE 802.3 specification for Ethernet that uses unshielded twisted pair (UTP) wiring with RJ-45 eight-conductor plugs at each end. Runs at 10 Mbps. 100Base-T. IEEE 802.3 specification for Ethernet that uses unshielded twisted pair (UTP) wiring with RJ-45 eight-conductor plugs at each end. Runs at 100 Mbps.

  • Page 312

    ADSL. Asymmetric Digital Subscriber Line. Modems attached to twisted pair copper wiring that transmit 1.5-9 Mbps downstream (to the subscriber) and 16-640 kbps upstream, depending on line distance. (Downstream rates are usually lower than 1.5Mbps in practice.) AH. The Authentication Header provides data origin authentication, connectionless integrity, and anti-replay protection services.

  • Page 313

    BRI. Basic Rate Interface. ISDN standard for provision of low-speed ISDN services (two B channels (64 kbps each) and one D channel (16 kbps)) over a single wire pair. bridge. Device that passes packets between two network segments according to the packets' destination address. broadcast.

  • Page 314

    Cable that lets you connect a port on one Ethernet hub to a port on another Ethernet hub. You can order an Ethernet crossover cable from Netopia, if needed. CSU/DSU. Channel Service Unit/Data Service Unit. Device responsible for connecting a digital circuit, such as a T1 link, with a terminal or data communications device.

  • Page 315

    Diffie-Hellman. A group of key-agreement algorithms that let two computers compute a key independently without exchanging the actual key. It can generate an unbiased secret key over an insecure medium. diffserv. Differentiated Services. A method for controlling Quality of Service (QoS) queue priority settings.

  • Page 316

    encapsulation. Technique used to enclose information formatted for one protocol, such as AppleTalk, within a packet formatted for a different protocol, such as TCP/IP. Encrypt Protocol. Encryption protocol for the tunnel session. Parameter values supported include NONE or ESP. encryption.

  • Page 317

    FTP. File Transfer Protocol. Application protocol that lets one IP node transfer files to and from another node. FTP server. Host on network from which clients can transfer files. -----H----- Hard MBytes. Setting the Hard MBytes parameter forces the renegotiation of the IPSec Security Associations (SAs) at the configured Hard MByte value.

  • Page 318

    The Netopia Gateway works like a network super traffic cop, inspecting and filtering out undesired traffic based on your security policy and resulting configuration.

  • Page 319

    -----K----- Key Management. The Key Management algorithm manages the exchange of security keys in the IPSec protocol architecture. SafeHarbour supports the standard Internet Key Exchange (IKE) -----L----- LCP. Link Control Protocol. Protocol responsible for negotiating connection configuration parameters, authenticating peers on the link, determining whether a link is functioning properly, and terminating the link.

  • Page 320

    An SSID differentiates one wireless network from another, so all access points and all devices attempting to connect to a specific network must use the same SSID. Netopia Gateways support up to four SSIDs. SSIDs are also sometimes referred to as Network Names because they are names that identify wireless networks.

  • Page 321

    Aggressive Mode. Main mode requires 3 two-way message exchanges while Aggressive mode only requires 3 total message exchanges. null modem. Cable or connection device used to connect two computing devices directly rather than over a network. -----P----- packet. Logical grouping of information that includes a header and data. Compare frame, datagram.

  • Page 322

    PPP. Point-to-Point Protocol. Provides a method for transmitting datagrams over serial router-to-router or host-to-network connections using synchronous or asynchronous circuits. Pre-Shared Key. The Pre-Shared Key is a parameter used for authenticating each side. The value can be an ASCII or Hex and a maximum of 64 characters.

  • Page 323

    route. Path through a network from one node to another. A large internetwork can have several alternate routes from a source to a destination. routing table. Table stored in a router or other networking device that records available routes and distances for remote network destinations. -----S----- SA Encrypt Type.

  • Page 324

    STATEFUL. The Netopia Gateway monitors and maintains the state of any network transaction. In terms of network request-and-reply, state consists of the source IP address, destination IP address, communication ports, and data sequence.

  • Page 325

    -----T----- telnet. IP protocol that lets a user on one host establish and use a virtual terminal connection to a remote host. TR-064. TR-064 is a LAN-side DSL Gateway configuration specification; an extension of UPnP. It defines more services to locally manage a Gateway. TR-069.

  • Page 326

    -----W----- WAN. Wide Area Network. Private network facilities, usually offered by public telephone companies but increasingly available from alternative access providers (sometimes called Competitive Access Providers, or CAPs), that link business network nodes. WWW. World Wide Web. -----X----- XAuth. Extended Authentication. An extension to the Internet Key Exchange (IKE) protocol, for IPSec tunnelling.

  • Page 327: Description, Dimensions, Communications Interfaces, Power Requirements, Environment, Operating Temperature, Storage Temperature

    2200-Series Wireless Models: 1.2"(3.0cm) H, 8.7" (22.0 cm) W, 5.2"(13.2cm) L Communications interfaces: The Netopia Gateways have an RJ-11 jack for DSL line connections or an RJ-45 jack for cable/DSL modem connections and 1 or 4–port 10/100Base-T Ethernet switch for your LAN connections. Some models have a USB port that can be used to connect to your PC;...

  • Page 328: Relative Storage Humidity, Software And Protocols, Software Media, Routing, Wan Support, Security, Diagnostics

    Relative storage humidity: 20 to 80% noncondensing Software and protocols Software media: Software preloaded on internal flash memory; field upgrades done via download to internal flash memory via TFTP or web upload. (does not apply to 3342/3352) Routing: TCP/IP Internet Protocol Suite, RIP WAN support: PPPoA, PPPoE, DHCP, static IP address Security:...

  • Page 329: Agency Approvals, North America, International, Regulatory Notices, European Community

    Regulatory notices European Community. This Netopia product conforms to the European Community CE Mark standard for the design and manufacturing of information technology equipment. This standard covers a broad area of product design, including RF emissions and immunity from electrical...

  • Page 330: Manufacturer's Declaration Of Conformance, United States, Service Requirements

    This restriction applies regardless of whether the equipment is in or out of warranty. It is the responsibility of users requiring service to report the need for service to our Company or to one of our authorized agents. Service can be obtained at Netopia, Inc., 6001 Shellmound Street, Emeryville, California, 94608. Telephone: 510-597-5400.

  • Page 331: Canada, Declaration For Canadian Users, Caution

    Manufacturer’s Declaration of Conformance ☛ Important This product was tested for FCC compliance under conditions that included the use of shielded cables and connectors between system components. Changes or modifications to this product not authorized by the manufacturer could void your authority to operate the equipment.

  • Page 332: Australian Safety Information, Important Safety Instructions, Caution, Telecommunication Installation Cautions

    Important Safety Instructions Australian Safety Information The following safety information is provided in conformance with Australian safety requirements: Caution DO NOT USE BEFORE READING THE INSTRUCTIONS: Do not connect the Ethernet ports to a carrier or carriage service provider’s telecommunications network or facility unless: a) you have the written consent of the network or facility manager, or b) the connection is in accordance with a connection permit or connection rules.

  • Page 333: Cfr Part 68 Information, Fcc Requirements, Fcc Statements

    47 CFR Part 68 Information FCC Requirements The Federal Communications Commission (FCC) has established Rules which permit this device to be directly connected to the telephone network. Standardized jacks are used for these connections. This equipment should not be used on party lines or coin phones. If this device is malfunctioning, it may also be causing harm to the telephone network;...

  • Page 334: Electrical Safety Advisory

    If this happens the telephone company will provide advance notice in order for you to make necessary modifications to maintain uninterrupted service. g) If trouble is experienced with this equipment, the Netopia 3300- or 2200-Series router, for repair or warranty information, please contact:...

  • Page 335: Chapter 9 Overview Of Major Capabilities

    Built-in DHCP and DNS proxy features minimize or eliminate the need to program any network configuration into your home personal computer. • “Management” on page 338 A Web server built into the Netopia Operating System makes setup and maintenance easy using standard browsers. Diagnostic tools facilitate troubleshooting. • “Security” on page 339 Network Address Translation (NAT), password protection, Stateful Inspection firewall...

  • Page 336: Wide Area Network Termination, Pppoe/pppoa (point-to-point Protocol Over Ethernet/atm), Instant-on Ppp

    While an Always On connection is convenient, it does leave your network permanently connected to the Internet, and therefore potentially vulnerable to attacks. Netopia's Instant On technology furnishes almost all the benefits of an Always-On connection while providing two additional security benefits: •...

  • Page 337: Simplified Local Area Network Setup, Dns Proxy

    URL (Universal Resource Locator) as text to surf to a desired website. The Netopia DNS Proxy feature allows the LAN-side IP address of the Gateway to be used for proxying DNS requests from hosts on the LAN to the DNS Servers configured in the gateway.

  • Page 338: Management, Embedded Web Server, Diagnostics

    System and security logs • Diagnostics functions Once you have removed your Netopia Gateway from its packing container and powered the unit up, use any LAN attached PC or workstation running a common web browser application to configure and monitor the Gateway.

  • Page 339: Remote Access Control, Security, Password Protection, Network Address Translation (nat)

    Gateway. This access can be turned on or off in the Web interface. Password Protection Access to your Netopia device can be controlled through two access control accounts, Admin or User. The Admin, or administrative user, performs all configuration, management or mainte- •...

  • Page 340

    It routes packets received from remote networks to the correct computer on the LAN (Ethernet) interface. • When NAT is OFF, a Netopia Gateway acts as a traditional TCP/IP router, all LAN computers/devices are exposed to the Internet.

  • Page 341: Netopia Advanced Features For Nat, Internal Servers, Pinholes

    ☛ NOTE: 1. The default setting for NAT is ON. 2. Netopia uses Port Address Translation (PAT) to implement the NAT facility. 3. NAT Pinhole traffic (discussed below) is always initiated from the WAN side. Netopia Advanced Features for NAT Using the NAT facility provides effective LAN security.

  • Page 342

    Common TCP/IP protocols and ports are: FTP (TCP 21) telnet (TCP 23) SMTP (TCP 25) HTTP (TCP 80) SNMP (TCP 161, UDP 161) page 75 for How To instructions. Default Server This feature allows you to: • Direct your Gateway to forward all externally initiated IP traffic (TCP and UDP protocols only) to a default host on the LAN.

  • Page 343: Vpn Ipsec Pass Through, Ip-passthrough

    Security IP-Passthrough Netopia OS now offers an IP passthrough feature. The IP passthrough feature allows a single PC on the LAN to have the Gateway’s public address assigned to it. It also provides PAT (NAPT) via the same public IP address for all other hosts on the private LAN subnet.

  • Page 344: Vpn Ipsec Tunnel Termination, Stateful Inspection Firewall

    Typically, no special configuration is necessary to use the IPSec pass through feature. In the diagram, VPN PC clients are shown behind the Netopia Gateway and the secure server is at Corporate Headquarters across the WAN. You cannot have your secure server behind the Netopia Gateway.

  • Page 345: Index

    Index Navigating Prompt 225, Restart command SHELL mode Symbols View command !! command Command ARP 226, Ping Access the GUI Telnet Address resolution table Command line interface (see Administrative CLI) restrictions Community Administrator password 39, Compression, protocol 123, Concurrent Bridging/ Arguments, CLI Routing 104, CONFIG...

  • Page 346: Install Certificate

    DSL Forum settings output using 163, viewing firewall Echo request echo-period Embedded Web Server Ethernet address Ethernet statistics Hardware address hijacking Hop count HTTP traffic Feature Keys Obtaining filter parts ICMP Echo parts of IGMP Snooping filter priority Install filter set Install Certificate adding IP address 250,...

  • Page 347

    Install Software Quickstart 48, 50, Local Area Network Password Location, SNMP Administrator 39, 123, Logging in User 39, 123, lost echoes persistent-log Ping Ping command Pinholes 262, Magic number Planning Memory policy-based routing Metric Port authentication Multiple SSIDs port number Multiple Wireless SSIDs comparisons Wireless 62,...

  • Page 348

    Restrictions system heartbeat RIP 251, command Routing Information Protocol system name (RIP) 251, command system command system password Secondary nameserver command Secure Sockets Layer set system syslog Security wireless option filters command Security log Set wireless user-auth option bncp command 242, command 243, SHELL...

  • Page 349

    Syslog System contact, SNMP Wide Area Network System diagnostics Wireless system idle-timeout Zero Touch Telnet 224, Telnet command Telnet traffic TFTP TFTP server Toolbar TOS bit 157, TraceRoute 216, Trap Trivial File Transfer Protocol Truncation UPnP User name User password 39, 123, set atm 242, View command view config...

  • Page 351

    Netopia 2200 and 3300 series by Netopia Netopia, Inc. 6001 Shellmound Street Emeryville, CA 94608 April 10, 2006...

This manual also for:

3300 series, 3342, 3356
